Diffstat (limited to 'terraform/networking.tf')
-rw-r--r--terraform/networking.tf211
1 files changed, 211 insertions, 0 deletions
diff --git a/terraform/networking.tf b/terraform/networking.tf
new file mode 100644
index 00000000..3293c8c8
--- /dev/null
+++ b/terraform/networking.tf
@@ -0,0 +1,211 @@
+resource "openstack_networking_network_v2" "baserock_network" {
+ name = "Baserock Network"
+ admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "baserock_subnet" {
+ name = "Baserock Subnet"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ cidr = "10.3.0.0/24"
+ ip_version = 4
+}
+
+
+data "openstack_networking_network_v2" "external_network" {
+ name = "ext-net"
+}
+
+resource "openstack_networking_router_v2" "baserock_router" {
+ name = "Baserock Router"
+ admin_state_up = true
+ external_network_id = data.openstack_networking_network_v2.external_network.id
+}
+
+resource "openstack_networking_router_interface_v2" "baserock_router_interface" {
+ router_id = "${openstack_networking_router_v2.baserock_router.id}"
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+}
+
+# Security groups
+
+resource "openstack_networking_secgroup_v2" "sg_base" {
+ name = "base"
+ description = "Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_icmp" {
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any" {
+ direction = "egress"
+ ethertype = "IPv4"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any_v6" {
+ direction = "egress"
+ ethertype = "IPv6"
+ remote_ip_prefix = "::/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_icmp" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_haste_server" {
+ name = "haste-server"
+ description = "Allow incoming TCP requests for haste server"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_haste_server_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 7777
+ port_range_max = 7777
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_haste_server.id}"
+}
+
+resource "openstack_networking_secgroup_v2" "sg_gitlab_bot" {
+ name = "gitlab-bot"
+ description = "Allow incoming TCP requests for gitlab-bot"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_gitlab_bot_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 1337
+ port_range_max = 1337
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_gitlab_bot.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_git_server" {
+ name = "git-server"
+ description = "Allow inbound SSH, HTTP, HTTPS and Git requests."
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_git" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 9418
+ port_range_max = 9418
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_shared_artifact_cache" {
+ name = "shared-artifact-cache"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22200
+ port_range_max = 22200
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_web_server" {
+ name = "web-server"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
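Review bot: Every ingress rule in this hunk is opened to `0.0.0.0/0`, including SSH on port 22 in `sg_base_ingress_ssh`, ostree-over-SSH on 22200 in `sg_shared_artifact_cache_ssh`, and the gitlab-bot (1337) and haste-server (7777) ports, which look like internal services rather than public endpoints; since `base` is presumably attached to every instance, the management port is reachable from the whole internet. Unless public SSH is intended, move the source range for those rules to a variable, e.g. `remote_ip_prefix = var.admin_cidr`, declared in variables.tf, so the allow-list is explicit and reviewable. The `web-server` description on the last group is copy-pasted from `shared-artifact-cache` and claims a port-22200 rule the group does not have; `description = "Allow inbound HTTP and HTTPS"` would match the rules it actually contains. Note also that `delete_default_rules = "true"` drops Neutron's default egress rules from every group here, so only an instance that also carries `base` can make outbound connections — a comment on `sg_base` saying it must be attached alongside the service groups would save the next maintainer a debugging session. The file also mixes `admin_state_up = "true"` (string) with `admin_state_up = true` and legacy `"${...}"` interpolation with plain references; picking one form keeps `terraform fmt`/0.12 upgrades quiet.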